[tbb-bugs] #17568 [Tor Browser]: Clean up tor-control-port.js in Torbutton
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Nov 10 02:01:09 UTC 2015
#17568: Clean up tor-control-port.js in Torbutton
---------------------------+--------------------------
Reporter: gk | Owner: tbb-team
Type: task | Status: new
Priority: Medium | Milestone:
Component: Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-torbutton | Actual Points:
Parent ID: | Points:
Sponsor: |
---------------------------+--------------------------
Comment (by cypherpunks):
Why the case-insensitive flag ("i") when the pattern does not contain any
alphabetic character?
Seems like you should also drop the multiline flag ("m") when you are only
trying to match a single-line reply.
Aside:
I was trying to track the input back to Tor's output and stumbled across
the 6500-lines control.c... So what I was wondering was:
- In general, what is the threat expectation here? What has to be
considered adversary-controlled input?
- Is it worth re-implementing the full control protocol parser in JS so
that you can verify each reply?
- Hopefully control.c takes a good defensive parsing approach. Does
control.c offer some guarantees about its output so that JS can just rely
on it?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17568#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list